Article based on and adapted from Christopher Hadnagy’s “Science Behind Human Hacking” presentation at the Compass Cybersecurity Symposium, Twin River Event Center – 9/27/19
What is Social Engineering?
Social engineering is the psychological manipulation of convincing people into divulging confidential information or performing specific actions. The 4 main attack vectors for social engineering are:
- Phishing—occurring via email.
- Vishing—occurring via voice or phone call
- Smishing—occurring via text or SMS message.
- Impersonation—an attack occurring in person or real-life interaction.
Threat actors often combine multiple vectors to ensure successful execution and completion of attacks. A social engineer will often spend days collecting Open Source Intelligence (OSINT) on their target. OSINT is any information that is publicly available and easy to access. Examples of OSINT would be information you can find on the internet, like a blog, social media account, website, public government data, and other sources of information flow.
Social engineers can research OSINT about a target and begin to craft and tailor their attacks to that individual. The phishing email you receive wouldn’t look out of the ordinary or seem suspicious if it landed in your inbox. They can even call you on the phone, to make the attack seem more like a legitimate request.
What Makes Us Susceptible?
Everyone is susceptible. No one is immune to social engineering attacks and under the right conditions, anyone can easily become a victim. Hadnagy states that “social engineering takes the way humans are wired to make decisions and exploits the vulnerabilities in those processes.” For example, oxytocin and dopamine are two chemicals that are released in the brain during moments of trust and happiness.
In Dr. Paul Zak’s The Moral Molecule, Dr. Zak discusses the hormone oxytocin and its effect on the feeling of trust. Oxytocin plays a role in social bonding with others and is believed to be responsible for that “warm and fuzzy feeling” you get when you feel good about someone. Dr. Zak’s research states that oxytocin could also be released over email, phone, and when subjects weren’t able to see each other. He concluded that a face-to-face interaction wasn’t required for a moment of perceived trust to release oxytocin.
The neurotransmitter dopamine is released in the brain during moments of stimulation, happiness, and pleasure. The combination of these two can leave a target thinking less rationally and can lead to more of an impulse response. Hadnagy further states that, “The goal of the social engineer is to get you to make a decision without thinking. The more you think, the more likely you are to realize you are being manipulated, which of course is bad for the attacker.” Social engineers leverage these natural “chemical reactions” to increase the success rate of their attacks.
They will often pretend to be an authority figure or someone with professional expertise in their industry. They will say or do whatever to gain your trust, and get you to act first and think later. Social engineering attacks are dangerous because they rely on human error instead of vulnerabilities in the software or operating systems.
What Should I Do If I Suspect an Attack?
- Disconnect your system from the network by turning off your Wi-Fi or unplugging the ethernet cord.
- If you’re not sure about your internet connection, completely turn off your computer.
- Forward the email to your IT department from your mobile device.
- Immediately alert your supervisors and notify fellow employees.
You can also use these tips if you clicked on a link or downloaded an attachment in a suspicious email!
When it comes to social engineering attacks, awareness and education are key. Informing your fellow employees of a social engineering attack can mean the difference between a compromised network and nothing harmful happening! Remember, no one is completely impervious to a social engineering attack. Being alert and knowing the warning signs can help you protect yourself against most attacks.
If you’d like to learn more about phishing attacks, visit www.ITsupportRI.com/scam-school.